{"title":"关于安全风险场景的理解","authors":"I. Hogganvik, K. Stølen","doi":"10.1109/WPC.2005.27","DOIUrl":null,"url":null,"abstract":"Methods for security risk analysis are often based on structured brainstorming (e.g. what [F. Redmill et al., (1999)] calls HazOp). A structured brainstorming gathers a group of different system experts and the idea is that they will find more risks as a team than one-by-one. The CORAS modelling language [M. S. Lund et al., (2003)] has been designed to support the brainstorming process and to document security risk scenarios identified during these sessions. The language is graphical, based upon the Unified Modelling Language (UML) [R. E. Walpole et al., (1998)], and is recommended by OMG. This paper reports the results from two empirical experiments concerning the CORAS language. Our results show (1) many security risk analysis terms are used in the daily language and therefore well understood, but the more abstract or less frequently used terms can be a possible source for misunderstandings in a security analysis, and (2) the language's graphical icons make diagram \"navigation\" faster, but the diagrams are not necessarily understood more correctly than those without graphical icons.","PeriodicalId":421860,"journal":{"name":"13th International Workshop on Program Comprehension (IWPC'05)","volume":"19 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"25","resultStr":"{\"title\":\"On the comprehension of security risk scenarios\",\"authors\":\"I. Hogganvik, K. Stølen\",\"doi\":\"10.1109/WPC.2005.27\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Methods for security risk analysis are often based on structured brainstorming (e.g. what [F. Redmill et al., (1999)] calls HazOp). A structured brainstorming gathers a group of different system experts and the idea is that they will find more risks as a team than one-by-one. The CORAS modelling language [M. S. Lund et al., (2003)] has been designed to support the brainstorming process and to document security risk scenarios identified during these sessions. The language is graphical, based upon the Unified Modelling Language (UML) [R. E. Walpole et al., (1998)], and is recommended by OMG. This paper reports the results from two empirical experiments concerning the CORAS language. Our results show (1) many security risk analysis terms are used in the daily language and therefore well understood, but the more abstract or less frequently used terms can be a possible source for misunderstandings in a security analysis, and (2) the language's graphical icons make diagram \\\"navigation\\\" faster, but the diagrams are not necessarily understood more correctly than those without graphical icons.\",\"PeriodicalId\":421860,\"journal\":{\"name\":\"13th International Workshop on Program Comprehension (IWPC'05)\",\"volume\":\"19 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2005-05-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"25\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"13th International Workshop on Program Comprehension (IWPC'05)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/WPC.2005.27\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"13th International Workshop on Program Comprehension (IWPC'05)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WPC.2005.27","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 25
摘要
安全风险分析的方法通常基于结构化的头脑风暴(例如[F]。Redmill等人(1999)]称之为HazOp。结构化的头脑风暴聚集了一组不同的系统专家,其想法是他们作为一个团队将比一个人发现更多的风险。CORAS建模语言[M]。S. Lund等人,(2003)]的设计是为了支持头脑风暴过程,并记录在这些会议中确定的安全风险场景。语言是图形化的,基于统一建模语言(UML) [R。E. Walpole et al., (1998)], OMG推荐使用。本文报道了关于CORAS语言的两个实证实验的结果。我们的结果表明:(1)许多安全风险分析术语在日常语言中使用,因此很容易理解,但更抽象或较少使用的术语可能是安全分析中误解的可能来源,(2)语言的图形图标使图表“导航”更快,但图表不一定比没有图形图标的图表更正确地理解。
Methods for security risk analysis are often based on structured brainstorming (e.g. what [F. Redmill et al., (1999)] calls HazOp). A structured brainstorming gathers a group of different system experts and the idea is that they will find more risks as a team than one-by-one. The CORAS modelling language [M. S. Lund et al., (2003)] has been designed to support the brainstorming process and to document security risk scenarios identified during these sessions. The language is graphical, based upon the Unified Modelling Language (UML) [R. E. Walpole et al., (1998)], and is recommended by OMG. This paper reports the results from two empirical experiments concerning the CORAS language. Our results show (1) many security risk analysis terms are used in the daily language and therefore well understood, but the more abstract or less frequently used terms can be a possible source for misunderstandings in a security analysis, and (2) the language's graphical icons make diagram "navigation" faster, but the diagrams are not necessarily understood more correctly than those without graphical icons.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
